06-03-2024 01:25 AM
We are using Active Directory combined with a splash page.
I must use open authentication to use Splash pages.
Open authentication does not allow the use of WPA encryption between the PC client and the AP.
Is this a security vulnerability?
What steps do we need to take to ensure that we meet the requirements of wireless security?
06-03-2024 02:54 AM
It is not necessarily a security risk, as despite being an "open" network you will be requiring authentication. Of course, you won't have encryption, which is exactly why this is a type of network most suitable for Guest users.
06-03-2024 09:32 AM
Whilst your wireless traffic isn't encrypted, the HTTPS session between your client and the Splash Page server is.
If the SSID is primarily for employees/staff/trusted users, I would leverage 802.1X RADIUS instead. Yes, the user won't get a pretty splash page, but it would then ensure the wireless traffic is encrypted.
06-04-2024 01:28 AM
You can use a PSK when using AD splash page authentication.
You could also get adventurous if you have Wi-Fi 6 APs and try our OWE encryption.
https://documentation.meraki.com/MR/Wi-Fi_Basics_and_Best_Practices/WPA3_Encryption_and_Configuration_Guide